• Can a virtual server be falsely accused of a DOS attack?

    From Lost in the Future@21:1/5 to All on Thu May 25 20:31:06 2017
    Hi,

    I have a small virtual server in the net to run a web page that nobody ever visits anymore, if anybody ever did.

    It runs SuSE 10.3.

    About 2 months ago, my ISP informed me that it had been hacked and they took it off the net because it was running a DOS attack on a DNS server.
    They would release it when I was ready to fix it.

    They provide this tcpdump trace:

    15:49:43.000000 IP my-ip.49271 > dns-server.0.0.53: [|domain]
    ...

    I informed them that I was ready and got into the machine, but could find nothing that had been changed. The last(1) command showed nothing
    out of the ordinary. I use a good password.


    Could it be possible that those packets were injected from somewhere else? Even possibly modifying the source MAC address?


    About 2 weeks ago, they informed me that the server was running a DOS attack again and had been taken off the net.

    They included this log:

    List of malicious processes:===============================
    wwwrun 56545 0.0 0.0 23012 4204 ? S Apr26 00:05:13 /usr/local/apache/bin/httpd -DSSL
    ...


    These ps-like lines were followed by stanzas like:

    Details for pid 56545:
    process name = perl
    cmdline = /usr/local/apache/bin/httpd -DSSL
    exec = /usr/bin/perl
    cwd = /
    started = 2017-04-26 19:37:01


    Is wwwrun a user on my machine? I see on the net that it has something to do with a Content Management System, which I don't use.
    Apache is the most complicated application on the machine.

    The last section of the trace was this:

    FULL PROCESS LIST:
    ===================
    USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
    root 55784 0.0 0.0 820 100 ? Ss Mar14 00:01:04 init [3]
    root 55787 0.0 0.0 0 0 ? S Mar14 00:00:00 [kthreadd/406983]
    root 55788 0.0 0.0 0 0 ? S Mar14 00:00:00 [khelper/4069839]
    100 56528 0.0 0.0 14628 844 ? Ss Mar14 00:00:05 /bin/dbus-daemon --system
    root 56544 0.0 0.0 5836 308 ? Ss Mar14 00:00:00 /sbin/resmgrd
    root 56559 0.0 0.0 24004 1296 ? Ss Mar14 00:00:01 /usr/sbin/console-kit-daemon
    103 56575 0.0 0.0 31692 1492 ? Ss Mar14 00:00:01 /usr/sbin/hald --daemon=yes
    root 56576 0.0 0.0 17600 992 ? S Mar14 00:00:00 hald-runner
    avahi 57125 0.0 0.0 27500 1212 ? Ss Mar14 00:00:00 avahi-daemon: running [s15219938.local]
    root 57144 0.0 0.0 29116 724 ? Ss Mar14 00:00:00 /usr/sbin/saslauthd -a pam -n 2
    root 57145 0.0 0.0 29116 460 ? S Mar14 00:00:00 /usr/sbin/saslauthd -a pam -n 2
    root 57160 0.0 0.0 5860 688 ? Ss Mar14 00:00:49 /sbin/syslogd -a /var/lib/named/dev/log
    root 57181 0.0 0.0 10068 524 ? Ss Mar14 00:00:00 /usr/sbin/avahi-dnsconfd -D
    root 57205 0.0 0.0 18064 736 ? S Mar14 00:00:00 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/sbin/courierlogger -stderrloggername=imapd -maxprocs=40 -maxperip=4 -pid=/var/run/imapd.pid -nodnslookup -noidentlookup 143 /usr/sbin/imaplogin /usr/lib/courier-imap/authlib/authpsa /usr/bin/imapd

    There's no wwwrun there. On the other hand, it's pretty sparse.

    Is it necessarily a worm or virus, and if so, how would I go about isolating it, and finding how it got in?

    TIA

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
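An added example, not part of the thread and not the ISP's tooling. The stanza quoted above (process name = perl, exec = /usr/bin/perl, cmdline = /usr/local/apache/bin/httpd -DSSL) describes a process whose real executable differs from the name it shows in `ps`; a Perl script can do that by assigning to `$0`. The script below parses stanzas in the report's format and flags that mismatch, and runs the same exe-versus-argv[0] comparison against /proc on the live guest. The first stanza in the sample is copied from the post; the second is constructed as a benign control.

```shell
#!/bin/sh
# Added example (not from the thread or the ISP's tooling).  The
# "Details for pid" stanza the ISP sent says: the kernel is executing
# /usr/bin/perl, but argv[0] has been rewritten to read like Apache's
# httpd.  Perl lets a script do that by assigning to $0, which is what
# makes a plain `ps` look clean.  Two checks for that pattern follow.
# First stanza copied from the report in the thread; the second one is
# constructed as a benign control (pid/cmdline from the posted ps list,
# start time made up).
SAMPLE_REPORT='Details for pid 56545:
process name = perl
cmdline = /usr/local/apache/bin/httpd -DSSL
exec = /usr/bin/perl
cwd = /
started = 2017-04-26 19:37:01

Details for pid 57160:
process name = syslogd
cmdline = /sbin/syslogd -a /var/lib/named/dev/log
exec = /sbin/syslogd
cwd = /
started = 2017-03-14 10:02:11'

# flag_mismatch_stanzas: read stanzas on stdin, print the pid of each
# one whose on-disk executable (exec) has a different basename from the
# program name it advertises (first word of cmdline).
flag_mismatch_stanzas() {
    sed 's/^[[:space:]]*//' | awk '
        function base(p) { sub(/.*\//, "", p); return p }
        /^Details for pid [0-9]+:/ { pid = $4; sub(/:$/, "", pid); exe = ""; argv0 = "" }
        /^exec = /    { exe = $3 }
        /^cmdline = / { argv0 = $3 }
        pid != "" && exe != "" && argv0 != "" {
            if (base(exe) != base(argv0)) print pid
            pid = ""
        }
    '
}

# scan_proc_masquerade: the same test against the live kernel view,
# /proc/PID/exe (what is really running) versus /proc/PID/cmdline
# (what the process claims).  Run as root so every pid is readable.
# Expect a few benign hits to review by hand: login shells ("-bash")
# and symlinked binaries such as /bin/sh -> dash or busybox.  An exe
# ending in "(deleted)" means the binary was unlinked after it started,
# which is worth a look on its own.
scan_proc_masquerade() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        exe=$(readlink "$d/exe" 2>/dev/null) || continue    # kernel threads, foreign pids
        argv0=$(tr '\0' '\n' < "$d/cmdline" 2>/dev/null | head -n 1)
        [ -n "$argv0" ] || continue                          # zombies have no cmdline
        if [ "${exe##*/}" != "${argv0##*/}" ]; then
            printf '%s\t%s\t%s\n' "$pid" "$exe" "$argv0"
        fi
    done
    return 0
}

# With --scan, inspect the running system; otherwise demonstrate the
# stanza check on the sample report (prints 56545, not 57160).
if [ "${1:-}" = "--scan" ]; then
    scan_proc_masquerade
else
    printf '%s\n' "$SAMPLE_REPORT" | flag_mismatch_stanzas
fi
```

One caveat worth keeping in mind: anything read inside the guest (`ps`, `last`, /proc) can be altered by whatever got in, while the ISP's capture and process list were taken from outside it. Treat the two views as independent evidence rather than expecting them to agree.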
  • From Kaz Kylheku@21:1/5 to Lost in the Future on Thu May 25 22:48:41 2017
    On 2017-05-25, Lost in the Future <joe@somewhere.org> wrote:
    > About 2 weeks ago, they informed me that the server was running a DOS attack again and had been taken off the net.
    >
    > They included this log:
    >
    > List of malicious processes:===============================
    > wwwrun 56545 0.0 0.0 23012 4204 ? S Apr26 00:05:13 /usr/local/apache/bin/httpd -DSSL
    > [ ... ]
    > Is wwwrun a user on my machine?

    Not unless "they" who included "this log" have an account on your
    machine and got the log from there.

    Why would ISP people be sending you logs from your own machine?

  • From Lost in the Future@21:1/5 to Kaz Kylheku on Fri May 26 08:26:15 2017
    On Thu, 25 May 2017 22:48:41 +0000, Kaz Kylheku wrote:

    > On 2017-05-25, Lost in the Future <joe@somewhere.org> wrote:
    >> About 2 weeks ago, they informed me that the server was running a DOS attack again and had been taken off the net.
    >>
    >> They included this log:
    >>
    >> List of malicious processes:===============================
    >> wwwrun 56545 0.0 0.0 23012 4204 ? S Apr26 00:05:13 /usr/local/apache/bin/httpd -DSSL
    >> [ ... ]
    >> Is wwwrun a user on my machine?
    >
    > Not unless "they" who included "this log" have an account on your
    > machine and got the log from there.
    >
    > Why would ISP people be sending you logs from your own machine?

    It's a virtual server. It could even be that it's running on some giant
    piece of hardware somewhere, with hundreds of others.

    The ISP doesn't have an "account" but "plesk" is apparently the
    virtualization software, which apparently gives them considerable access
    (I can't see it from inside the machine, though).

    As can be seen from the posting, they sent me what they said was the "FULL PROCESS LIST" (from my machine, presumably),
    although it's hard to imagine that it would ever run with so few
    processes. Either it ain't true that it's the "FULL PROCESS LIST", or the virus actually rebooted my machine to do its evil work and then rebooted
    it again with the normal configuration when it was done.

    I'm sure they'd say that they got the tcpdump from the combined stream of
    all virtual servers to their internet feed. I'm asking myself - how do
    they know it was my box - even though it was my address - which, of
    course, can be faked.

  • From Charles T. Smith@21:1/5 to Kaz Kylheku on Fri May 26 08:24:54 2017
    On Thu, 25 May 2017 22:48:41 +0000, Kaz Kylheku wrote:

    > On 2017-05-25, Lost in the Future <joe@somewhere.org> wrote:
    >> About 2 weeks ago, they informed me that the server was running a DOS attack again and had been taken off the net.
    >>
    >> They included this log:
    >>
    >> List of malicious processes:===============================
    >> wwwrun 56545 0.0 0.0 23012 4204 ? S Apr26 00:05:13 /usr/local/apache/bin/httpd -DSSL
    >> [ ... ]
    >> Is wwwrun a user on my machine?
    >
    > Not unless "they" who included "this log" have an account on your
    > machine and got the log from there.
    >
    > Why would ISP people be sending you logs from your own machine?

    It's a virtual server. It could even be that it's running on some giant piece of hardware somewhere, with hundreds of others.

    The ISP doesn't have an "account" but "plesk" is apparently the virtualization software, which apparently gives them considerable
    access (I can't see it from inside the machine, though).

    As can be seen from the posting, they sent me what they said was the "FULL PROCESS LIST" (from my machine, presumably),
    although it's hard to imagine that it would ever run with so few processes. Either it ain't true that it's the "FULL PROCESS
    LIST", or the virus actually rebooted my machine to do its evil work and then rebooted it again with the normal configuration
    when it was done.

    I'm sure they'd say that they got the tcpdump from the combined stream of all virtual servers to their internet feed. I'm
    asking myself - how do they know it was my box - even though it was my address - which, of course, can be faked.

  • From Johannes =?ISO-8859-15?Q?B=FClow?=@21:1/5 to Lost in the Future on Sat Dec 11 15:32:43 2021
    Lost in the Future <joe@somewhere.org> wrote:
    > List of malicious processes:===============================
    > wwwrun 56545 0.0 0.0 23012 4204 ? S Apr26 00:05:13 /usr/local/apache/bin/httpd -DSSL
    > [ ... ]
    > Is wwwrun a user on my machine?
    To answer your questions about that sort of stuff, we'd probably need a
    bit more info about your setup, such as which OS you are running
    (distro, version etc).

    To check if you have a user named wwwrun on your server, look in the /etc/passwd file. A usual place to hide malware on a *nix system is to
    have it either completely located in, or called from, the crontab of some
    user. So also check the stuff found under the /var/cron/ directory.

    > It's a virtual server. It could even be that it's running on some giant piece of hardware somewhere, with hundreds of others.
    Your hosting provider can figure out from which VM the traffic originated.

    > The ISP doesn't have an "account" but "plesk" is apparently the virtualization software, which apparently gives them considerable access
    Plesk is an interesting choice for a hypervisor, especially since by
    default it only includes Docker. I'd have expected it to run on
    libvirt/KVM or Xen, or maybe VMware.

    --
    Johannes
